A significant problem facing the Internet community is that web sites and web applications are vulnerable to malicious attacks. A web application is executed by a server and is accessed by a client over a network, e.g., the Internet. To protect themselves, companies invest heavily in security solutions, such as anti-virus software and firewalls. However, as security solutions become more advanced, so do web attacks. Web attacks may take the form of viruses, worms, Trojan horses, script-based attacks, system intrusions, and many others. Such attacks allow the attacker to control computers, access confidential information, and destroy valuable data.
As illustrated in FIG. 1, an application level security system 107 is typically deployed between an application server 102 (executing the protected web application) and a client 108. The security system 107 is adapted to identify malicious traffic that contains potential attacks. Once an attack is detected, the security system 107 may either block incoming traffic to the server or modify the traffic. The security system 107 should process legitimate traffic and relay such traffic to the application server 102.
The security system 107 identifies and blocks malicious traffic using a security policy stored in a repository 106. Specifically, the security system 107 receives a request from the client 108 and checks whether the request is compliant with the security policy stored in the repository 106. If so, the security system 107 forwards the request to the application server 102; otherwise, the request is either blocked or manipulated according to the security policy. The security system 107 also processes the responses that the application server 102 returns to the client's requests. A response is likewise checked against the security policy to determine whether it is valid. If the response is compliant with the policy, it is forwarded to the client 108; otherwise, the response is either blocked or manipulated (e.g., replaced with an informational response). The actions for handling responses are also defined in the security policy.
As can be understood from the above discussion, the security policy has an important role in the protection of web applications. Thus, it is important to define and maintain a security policy that, on the one hand, effectively blocks attacks and, on the other, does not block legitimate traffic.
Some prior art solutions suggest that a user (e.g., a system administrator) manually define a security policy. This type of security policy includes blocking rules against well-known vulnerable patterns and/or vulnerable application paths. However, such solutions cannot provide efficient protection, as attacks are not always characterized by well-known patterns or paths. Further, the protected applications are changed dynamically by programmers, and the system administrator often does not have full control over these rapidly occurring changes, many of which are reported afterwards, if at all. The policy is therefore enforced statically, and the protected applications remain vulnerable.
Other solutions suggest periodically checking the compliance of the application against a user-defined security policy and, if flaws in the application are detected, updating the enforced policy. Typically, the monitoring is performed by sources (such as network and security scanners) that provide flaw reports. The reports are then consolidated with the user-defined policy. The disadvantage of such solutions is that the scanners cannot cover the entire application, as some of the application's resources are not accessible to them. Further, flaws that can be abused by zero-day attacks cannot be detected by the scanners. Hence, in most cases the scanners do not provide a complete flaw report, and the protected web applications remain vulnerable.
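The following is an added illustration, not part of the application text, of the behaviour described above: the security system 107 of FIG. 1 checking requests and responses against a policy from the repository 106, the policy holding administrator-defined rules against well-known patterns and vulnerable application paths, and a scanner flaw report being consolidated into that policy. The rule format, the request and response shapes, the rule templates per flaw class, and all sample data are constructed for this example and do not describe any particular product.

```python
"""Model of a policy-enforcing application level security system (constructed example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Rule:
    """One policy rule. The format is an assumption made for this example."""
    name: str
    path: Optional[str] = None   # exact application path; None applies to every path
    param: Optional[str] = None  # single field to inspect; None inspects every field
    pattern: str = ""            # regex; a match violates the rule. "" means the
                                 # path alone violates it (a blocked application path)
    action: str = "block"        # "block" drops the message, "sanitize" rewrites it
    source: str = "manual"       # "manual" (administrator) or "scanner" (flaw report)


@dataclass
class Policy:
    request_rules: List[Rule] = field(default_factory=list)
    response_rules: List[Rule] = field(default_factory=list)


@dataclass
class Request:
    path: str
    params: Dict[str, str]


@dataclass
class Response:
    status: int
    body: str


@dataclass
class Decision:
    action: str            # "forward", "block" or "modify"
    message: object        # the (possibly rewritten) message; None when blocked
    rule: Optional[str]    # name(s) of the rule that fired, if any


# Generic response substituted for a non-compliant application response
INFORMATIONAL = Response(500, "The application could not complete your request.")


def _violations(rules, path, fields):
    """Yield (rule, field_name) for every rule the message violates, in policy order."""
    for rule in rules:
        if rule.path is not None and rule.path != path:
            continue
        if not rule.pattern:             # path-only rule: any access violates it
            yield rule, None
            continue
        names = [rule.param] if rule.param else list(fields)
        for name in names:
            value = fields.get(name)
            if value is not None and re.search(rule.pattern, value, re.I):
                yield rule, name


def check_request(policy: Policy, req: Request) -> Decision:
    """Request path: forward as-is, block, or sanitize the offending fields and forward."""
    params = dict(req.params)
    fired = []
    for rule, name in _violations(policy.request_rules, req.path, params):
        if rule.action == "block" or name is None:
            return Decision("block", None, rule.name)
        params[name] = re.sub(rule.pattern, "", params[name], flags=re.I)
        fired.append(rule.name)
    if fired:
        return Decision("modify", Request(req.path, params), ",".join(fired))
    return Decision("forward", req, None)


def check_response(policy: Policy, req: Request, resp: Response) -> Decision:
    """Response path: forward, block, or replace with the informational response."""
    for rule, _ in _violations(policy.response_rules, req.path, {"body": resp.body}):
        if rule.action == "block":
            return Decision("block", None, rule.name)
        return Decision("modify", INFORMATIONAL, rule.name)
    return Decision("forward", resp, None)


# Illustrative rule template per scanner flaw class (constructed, deliberately narrow)
FLAW_PATTERNS = {
    "sql-injection": r"('|--|;|\bunion\b|\bor\b\s+\d+\s*=\s*\d+)",
    "path-traversal": r"\.\./",
}


def consolidate_scanner_report(policy: Policy, report: List[dict]) -> List[str]:
    """Merge scanner findings (assumed shape: path, parameter, flaw) into the policy as
    blocking rules and return the names added. Duplicates and classes without a
    template are skipped. Only paths the scanner reached can appear here."""
    added = []
    for finding in report:
        pattern = FLAW_PATTERNS.get(finding["flaw"])
        if pattern is None:
            continue
        name = f"scan:{finding['flaw']}:{finding['path']}:{finding['parameter']}"
        if any(r.name == name for r in policy.request_rules):
            continue
        policy.request_rules.append(Rule(name, path=finding["path"], param=finding["parameter"],
                                         pattern=pattern, source="scanner"))
        added.append(name)
    return added


def build_policy() -> Policy:
    """Administrator-defined rules: well-known patterns and a vulnerable path (constructed)."""
    policy = Policy()
    policy.request_rules += [
        Rule("manual:traversal", pattern=r"\.\./", action="block"),
        Rule("manual:script-tag", pattern=r"<\s*/?\s*script[^>]*>", action="sanitize"),
        Rule("manual:debug-path", path="/admin/debug", action="block"),
    ]
    policy.response_rules.append(
        Rule("manual:error-leak", pattern=r"(syntax error|stack trace|ORA-\d{5})", action="sanitize"))
    return policy


# Constructed flaw report from a hypothetical scanner run
SCANNER_REPORT = [
    {"path": "/account", "parameter": "id", "flaw": "sql-injection"},
    {"path": "/account", "parameter": "id", "flaw": "sql-injection"},   # duplicate
    {"path": "/files", "parameter": "name", "flaw": "unknown-class"},   # no template
]

if __name__ == "__main__":
    policy = build_policy()
    print(consolidate_scanner_report(policy, SCANNER_REPORT))
    print(check_request(policy, Request("/account", {"id": "42 OR 1=1"})))
    print(check_response(policy, Request("/account", {"id": "42"}),
                         Response(500, "SQLSTATE[42000]: Syntax error near 'OR'")))
```

Two properties of the text are visible in the example. A request to a path the scanner never reported (here, anything outside `/account`) is covered only by the manual rules, so a flaw there remains unprotected until an administrator adds a rule by hand; and because rules are evaluated in policy order, a sanitizing rule can rewrite a field that a later blocking rule would otherwise have caught, so the ordering of consolidated rules is itself a policy decision.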
It would therefore be advantageous to provide a solution for generating an adaptive, enforceable security policy for the efficient protection of web applications.